Arrangement storing different versions of a set of data in separate memory areas and method for updating a set of data in a memory

ABSTRACT

Computer-readable medium storing a data structure for supporting persistent storage of a set of data, the data structure including: (a) at least an oldest version of the set of data in a first memory area, the first memory area including at least one first tag for uniquely identifying the oldest version, and (b) at least a most recently updated version of the set of data in a second, distinct memory area, the second memory area including at least one second tag for uniquely identifying the most recently updated version. The invention also relates to a computer arrangement including a processor and such a computer-readable medium, as well as to a method of updating sets of data having such tagged-data structures.

FIELD OF THE INVENTION

The present invention relates to memory means comprising at least one set of data in a memory area. The memory means may be implemented with volatile RAM devices or with non-volatile silicon devices, such as EEPROM, Flash-EPROM or ROM. Usually, such memory stores operating system software modules, application programs and application data. In areas where such computer systems according to the invention may be particularly applicable, some or all of the operating system software modules are stored in ROM.

DESCRIPTION OF PRIOR ART

In some applications, typically financial transaction processes, storing must be done very safely. Such safe storage applications are known as requiring “Atomicity of Update” in “persistent” storage means. In order to carry out such safe updating, the use of update logs is known from the prior art. Such update logs register which parts of a set of data have to be changed during an update session. Only when the set of data together with its updated parts has been stored in memory may all references to the former version of the set of data be removed.

OBJECT OF THE INVENTION

The object of the present invention is to support persistent application-data storage by providing a mechanism for atomicity of update for data stored in non-volatile memory devices, especially in silicon storage devices such as EEPROM or Flash-EEPROM.

SUMMARY OF THE INVENTION

Aspects of the invention are directed to methods and computer arrangements for storing a data structure for supporting the persistent storage of a set of data. In one aspect of the invention, a method is provided that stores, in the data structure, at least an oldest version of the set of data and a first tag identifying the oldest version in a first memory area. Further, the method includes storing, in the data structure, at least a most recently updated version of the set of data and a second tag identifying the most recently updated version in a second memory area. The method may also include deallocating the first memory area following the storing of the most recently updated version, provided there are at least two versions of the set of data in the data structure.

The application of such unique tags related to the different memory areas makes it possible to identify uniquely which of the versions are older versions. Moreover, the application of such tags allows for identifying which versions relate to the same original set of data. Thus, in a memory, different versions of different sets of data may be present at the same time. Moreover, during updating of the most recently updated version, the older versions, as well as the most recently updated version, are not removed from memory. Only after an update action of the most recently updated version has been entirely completed may the oldest version of the set of data be removed from memory.

When the updating is interrupted during an update action, the most recently updated version is still present in the memory, thus guaranteeing the presence of at least one valid version of the set of data. Thus, “Atomicity of Update” is achieved, which guarantees either a complete replacement of the data or a completely unaltered copy of the original data, even if the update operation is disrupted.

In one embodiment, each of the versions of the set of data is stored in one or more memory pages, and each of the memory pages includes one tag, each tag comprising references to the set of data, a version number and a page number.

A page is defined as a memory area of consecutive memory locations which are dealt with as a unity, as appropriate for the storage technology concerned. Each page may correspond to one word line, thus facilitating memory unit read and write operations. Version numbers are assigned to the different generations of the set of data. Thus, different version numbers relate to different generations. Different page numbers refer to different pages within the same generation of the set of data.

The invention also relates to a computer arrangement including a processor and at least one computer-readable medium as defined above.

Preferably, the processor is arranged to write tags with redundancy as to their content and, after having read tags from the memory means, to analyze from the redundancy whether or not write errors have occurred. Such redundancy can be used as an indication of whether or not the tags concerned and the set of data to which the tags refer have valid values.

Preferably, the most recently updated version comprises a plurality of pages, each page having a unique tag, and the processor is arranged for updating said most recently updated version of said set of data and to write a predetermined tag of a predetermined one of said plurality of pages into said memory means as a last step of said updating. The predetermined tag, which is written last, can be read by the processor. If the processor detects the presence of this predetermined tag in the memory means, the processor can conclude that the updating action has been completed entirely.

The application of such tags provides for several new options. For instance, at least one of the tags may include additional data to indicate ownership and use-rights, the processor being arranged to recognize ownership and use-rights from these additional data.

The use-rights may differ for different parts of the set of data, and the processor may be arranged to recognize these different use-rights for these different parts.

Preferably, the processor is arranged to analyze tag values and is only allowed to access the versions of the set of data by reference through the tag values. Thus, access to the different versions of the set of data is not controlled by a usual program counter but by the tag values. In other words, the memory has become content addressable memory.

In the latter embodiment, the processor preferably comprises a central processing unit and a distinct memory managing unit, where the tag values are only known to the memory managing unit. Then, the physical address space of the memory means is not included in the address space of the central processing unit, especially not in the address space where application program or operating system software instructions are stored. In this manner, additional protection against “probing” can be obtained. To realize this potential protection, the memory managing unit may provide to the central processing unit additional interface functionality with a tag-size address register.

In order to increase the safety of stored data, the memory managing unit may encode tags with a cryptographic key prior to writing them into the memory, the cryptographic key being only known to the memory managing unit. Such a cryptographic key may relate to a cryptographic one-way function.

The present invention also relates to a method for supporting persistent storage of a set of data, comprising the steps of:

(a) storing an oldest version of said set of data in a first memory area, wherein said first memory area includes a first tag for uniquely identifying said oldest version, and

(b) storing a most recently updated version of said set of data in a second, distinct memory area, wherein said second memory area includes a second tag for uniquely identifying said most recently updated version.

BRIEF DESCRIPTION OF THE DRAWINGS

Hereinafter, the present invention will be described in detail with reference to some drawings which are intended only to illustrate the present invention and not to limit its scope.

FIG. 1 shows an example of an embodiment according to the present invention.

FIG. 2 shows a possible layout of a memory in accordance with the present invention.

FIG. 3 shows the content of memory pages in a possible embodiment of the arrangement according to FIG. 2.

FIG. 4 illustrates a method in accordance with the present invention, and

FIG. 5 illustrates a possible arrangement of a memory managing unit in accordance with the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 shows one possible arrangement in accordance with the present invention. A central processing unit 2 is connected to input/output means 12 and to memory which may comprise ROM 6, RAM 8, and non-volatile memory 10. Arranged apart from or within the central processing unit 2 there may be a memory manager 4. The manager 4 is arranged for carrying out memory functions with respect to the non-volatile memory 10 and preferably also the other memory sections ROM 6 and RAM 8. The embodiment shown in FIG. 1 relates to all kinds of management systems of data storage. However, the invention is especially beneficial with respect to data storage in non-volatile silicon devices rather than on hard disks. The important applications are in the field of embedded computer systems, and in single chip computers such as smart cards.

FIG. 2 shows one possible arrangement of data storage in a memory in accordance with the present invention. The non-volatile data memory 10 may be partitioned in storage units. Here, these units of memory storage are called “pages”. Conveniently, these pages may be of equal size, e.g. equal to the size of a “word-line” in silicon devices used to implement the memory. However, the pages may be of different sizes. The content of the memory is managed by the memory manager 4 page by page: allocation, updates, and de-allocation of application data storage involve manipulating one or more pages.

The memory comprises different generations (or versions) of a set of application data elements. Each generation may be stored in one or more pages. In FIG. 2, the situation is shown in which the memory comprises three different generations k, k+1, k+2 of one set of application data elements. The example shows that generation k occupies three pages 1, 2, and 3, generation k+1 occupies two pages i, i+1, and generation k+2 occupies two pages n, n+1. Generation k is the oldest version of the set of application data elements in the memory, whereas generation k+2 is the most recently updated version of the set of application data elements. Each of the generations k, k+1, k+2 may, e.g., relate to different versions of a software object.

The generations k, k+1, and k+2 are indicated to form a “data chunk”, which term is used here as a reference to one single set of application data elements. Pages required for storage are allocated from any location in memory that is not occupied by a page, as determined by the memory manager 4. The different generations k, k+1, k+2 of the data chunk shown in FIG. 2 may or may not be stored in memory in consecutive memory locations. The memory manager 4 is the unit that decides where to store the different generations. Even the pages within one generation need not be stored in consecutive pages. To illustrate this, pages n and n+1 are shown as being located remote from one another (indicated by dots between them).

In practice, the memory will contain several “data chunks”, i.e., several sets of generations of different sets of data.

In a memory organized and managed in accordance with the present invention, atomicity of update is provided by the management policy carried out by the memory manager 4. After being stored, data related to a version of the set of application data elements will never be modified in the same memory area. In other words, a page once created is never modified. When the last updated set of application data elements needs to be amended in accordance with an application program running on the central processing unit 2, a new memory area, e.g., a new set of pages, is allocated by the memory manager 4. In this new memory area any changed values, together with the values of those data elements of the set of application data elements that have not been changed, are stored by the memory manager 4. In this way, the memory 10 will hold at any time at least one consistent, valid version of the data chunk.

Such an updating action may, e.g., relate to a smart card. Although updating of data in a smart card only takes a very short time (for instance about 3 msec), there is a small chance that the smart card is removed from a communicating terminal prior to completing the data transaction with the terminal. Thus, the updating may be interrupted prior to completion. When this happens, at least the last updated version is still present in the memory of the smart card.

In one embodiment, after completing the update of the set of data, the memory manager 4 proceeds by de-allocating the memory area storing the oldest version of the set of data. The memory manager 4 may, e.g., control the presence of no more than 10 versions of one set of application data elements. In a practical realization the application program running on the central processing unit 2 will interact with the memory manager 4 to control the process of updating its data, e.g., to indicate completion of the update. The application program will notify the completion of the update to the memory manager 4, after which the memory manager 4 completes the writing operations in the memory 10. Such update process signaling is customary in transaction processing systems.

When several versions of the set of application data elements are present in the memory, the modification history of the data may be analyzed through the memory manager 4. The memory manager 4 does this by providing means for the application program running in the central processing unit 2 to inspect, but not modify, data values in previous versions.

FIG. 3 shows a possible memory page structure in accordance with the present invention. It is assumed that the memory is divided into pages. FIG. 3 shows two pages i, i+1. Each page i, i+1 contains application program data and a tag i, i+1. Preferably, the tag value consists of three parts: a “chunk identifier” chid, a generation count gen#, and a page count pg#. The chunk identifier serves as a unique reference to a programmer's unit of stored data. The generation counter gen# identifies the version number of the data stored. At least two generations will be indicated by the generation counters gen#. The page counter pg# indicates the page number of the page concerned within the generation of the set of program data to which the page belongs. The page counter pg# thus allows the data of a generation of a set of data to be stored as multiple pages.

In one specific realization of the invention the tag value is stored in the memory using a special encoding, e.g., using redundancy, for instance with a qualifying number of bits set to one. This special encoding is used by the memory manager 4 to detect correct/incorrect data write operations. Only if the qualified number of bits is detected to be one (or high) does the memory manager 4 decide that the tag value is valid. If this qualified number of bits is not set to one, the memory manager 4 decides that the tag value is invalid. Such a situation may, e.g., be caused by interrupting the power supplied to the memory device, for instance when a user of a smart card removes his smart card from a terminal prior to completion of a financial transaction.

In such an embodiment, prior to removing the oldest generation of the set of data, the memory manager 4 will determine the validity of the most recently updated generation. The specific tag encoding method may be determined from the physical characteristics of the silicon storage device used. It should be chosen to have a very high likelihood of resulting in an invalid encoding if that memory device fails to write the page in its entirety. Depending on the memory chip design (i.e. the transistor technology used), before writing new data in a page, some memories will first change all memory location values of a specified page into either zeros or ones. Therefore, as indicated above, it is sometimes better to check whether a qualified number of bits in a tag is one, whereas in other cases it might be better to check for the presence of a qualified number of bits being zero. Then, if the check on the tag is found to be correct, it is a matter of known chance whether or not the content of the remainder of the page related to the tag is also written correctly.

FIG. 4 summarizes the sequence of operations carried out by the memory manager 4 in one embodiment of the invention when updating a version of stored application data, as directed by an application program running on the central processing unit 2:

a. allocating a new set of pages in the memory 10, step 40;

b. defining the tag value of each new page of the new set of pages, step 42;

c. writing the application program data in its amended form and the corresponding tags to memory 10 page by page, step 44;

d. verifying for each page written that the result is correct, step 46; this verification step may be carried out by checking the tag value as indicated above;

e. de-allocating pages that hold the oldest generation of the set of data, step 48.

The tag value for each new page is defined with the assigned chunk identifier chid, the generation count value gen# of the most recently updated previous version incremented by 1, and the page count pg#.

Preferably, the pages are written to memory 10 page by page as indicated in step c. above. Preferably one predetermined page of the set of pages for one set of data must be written last, whereas all other pages can be written in any order. Conveniently, that predetermined page is the first page of the new set of pages. In practice, any of the pages may be written in parts. For example, a tag value of the page may be written separately from the application program data in the page. Preferably, however, the tag of the predetermined page, which is the last page to be written, is written in the last step of the updating action. This is a clear indication that the updating action has been completed. Until that tag of the predetermined page is written in memory, application program data written to any of the new pages may also be modified. However, it is to be noted that partial writes and modifications to page data may reduce the benefits obtainable with the invention, i.e., the total writing time may get longer. Writing the non-volatile memory 10, like EPROM, takes a relatively long time, nowadays about 3 msec. Therefore, it is best to write only once to memory 10, i.e., when the entire modified set of data is ready to be stored, and not to write modified portions of the set of data in consecutive periods of time. Still, if time is available, as is often the case, it is common practice in the art to write modified portions of a set of data in non-volatile memory. However, this results in an increased number of write operations, which leads to unnecessary wear of the non-volatile memory 10.

Therefore, in accordance with an embodiment of the invention, preferably all steps necessary to completely amend a set of data are carried out on a working copy of the set of data in RAM 8 prior to writing the amended set of data to non-volatile memory 10.

Writing the tag value of the predetermined page as the last operation in an update session is an advantageous measure in realizing the atomicity of the multi-page update. The presence or absence of a valid tag in the predetermined page then serves as a “commit” flag: a valid tag in the predetermined page indicates both the validity of the written page and the irrevocable completion of the entire update process.
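As an added illustration (not code from the patent), the following C program simulates the page and tag layout of FIG. 3 together with the update sequence of FIG. 4: the redundancy check on the tag, the commit tag of the predetermined page written last, a simulated card removal in mid-update, and the recovery that keeps the previous generation intact. The page size, the four-bits-set validity rule, the reserved chunk identifier 0 and the assumption that erased memory reads as all zeros are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define NPAGES     16   /* pages in the simulated non-volatile memory 10 */
#define DATA_BYTES 8    /* application data bytes per page */
#define TAG_VALID  0x0F /* constructed redundancy rule: exactly four bits set */

/* Tag of FIG. 3 plus a validity field; chid 0 is reserved for erased pages. */
typedef struct { uint8_t chid, gen, pg, valid; } tag_t;
typedef struct { tag_t tag; uint8_t data[DATA_BYTES]; } page_t;

static page_t mem[NPAGES];  /* erased state assumed to read as all-zero bits */

/* Redundancy check used in step 46: an erased or half-written validity
 * field does not carry the qualifying number (four) of one bits. */
static int tag_is_valid(const tag_t *t) {
    int ones = 0;
    for (int b = 0; b < 8; b++) ones += (t->valid >> b) & 1;
    return ones == 4;
}

static int page_is_free(int i) {
    static const page_t erased;  /* all zero */
    return memcmp(&mem[i], &erased, sizeof erased) == 0;
}

/* Newest (newest != 0) or oldest committed generation of a chunk. A
 * generation counts as committed only if the tag of its predetermined page
 * (pg 0) is valid, because that tag is the last thing written. */
static int find_generation(uint8_t chid, int newest, uint8_t *gen) {
    int found = 0;
    for (int i = 0; i < NPAGES; i++) {
        const tag_t *t = &mem[i].tag;
        if (t->chid != chid || t->pg != 0 || !tag_is_valid(t)) continue;
        if (!found || (newest ? t->gen > *gen : t->gen < *gen)) *gen = t->gen;
        found = 1;
    }
    return found;
}

/* De-allocate every page of chunk chid whose generation lies outside
 * [lo, hi]: used for recovery after an interrupted update and for step 48. */
static void free_outside(uint8_t chid, uint8_t lo, uint8_t hi) {
    for (int i = 0; i < NPAGES; i++)
        if (mem[i].tag.chid == chid && (mem[i].tag.gen < lo || mem[i].tag.gen > hi))
            memset(&mem[i], 0, sizeof mem[i]);
}

/* Gather pages 0..npages-1 of one generation into out; returns pages found. */
static int read_generation(uint8_t chid, uint8_t gen, int npages, uint8_t *out) {
    int got = 0;
    for (int i = 0; i < NPAGES; i++) {
        const tag_t *t = &mem[i].tag;
        if (t->chid == chid && t->gen == gen && t->pg < npages && tag_is_valid(t)) {
            memcpy(out + t->pg * DATA_BYTES, mem[i].data, DATA_BYTES);
            got++;
        }
    }
    return got;
}

/* Simulated card removal: a write is skipped once max_writes page writes
 * have been done (max_writes < 0 lets the update run to completion). */
static int power_fails(int max_writes, int *done) {
    return max_writes >= 0 && (*done)++ >= max_writes;
}

/* Steps 40-48 of FIG. 4 for one update. newdata holds npages*DATA_BYTES bytes
 * (the working copy prepared in RAM 8). Returns 1 when committed, 0 when the
 * simulated power loss or the tag check stopped it, -1 when no pages are free. */
static int update_chunk(uint8_t chid, const uint8_t *newdata, int npages, int max_writes) {
    uint8_t prev = 0, gen = 1;
    int slot[NPAGES], n = 0, writes = 0;

    /* recovery: pages newer than the last committed generation belong to an
     * update that never received its commit tag, so they are freed first */
    if (find_generation(chid, 1, &prev)) gen = prev + 1;       /* step 42: gen# + 1 */
    free_outside(chid, 0, prev);

    for (int i = 0; i < NPAGES && n < npages; i++)               /* step 40 */
        if (page_is_free(i)) slot[n++] = i;
    if (n < npages) return -1;

    /* step 44: pages npages-1..1 are written with their tags; the
     * predetermined page 0 gets its data now and its tag only as the last step */
    for (int p = npages - 1; p >= 0; p--) {
        page_t *pg = &mem[slot[p]];
        if (power_fails(max_writes, &writes)) return 0;
        memcpy(pg->data, newdata + p * DATA_BYTES, DATA_BYTES);
        pg->tag.chid = chid; pg->tag.gen = gen; pg->tag.pg = (uint8_t)p;
        if (p != 0) pg->tag.valid = TAG_VALID;
    }
    if (power_fails(max_writes, &writes)) return 0;
    mem[slot[0]].tag.valid = TAG_VALID;                          /* commit flag */

    for (int p = 0; p < npages; p++)                             /* step 46 */
        if (!tag_is_valid(&mem[slot[p]].tag)) return 0;

    free_outside(chid, prev, gen);  /* step 48: keep prev as fallback, free older */
    return 1;
}
```

A caller that reads the chunk after an interrupted update gets the previous committed generation, and the half-written pages are reclaimed on the next update attempt rather than leaking.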

Memory storage of the application program data can be made even more secure when the data stored in the memory can only be addressed physically by the application using the chunk identifier chid. The memory 10 then has become a “content addressable memory” (CAM).

Although the memory manager 4 and the central processing unit 2 may be within one physical processing unit, it is especially advantageous for this latter feature that the central processing unit 2 and the memory manager 4 are two physically distinct units arranged to communicate with one another. It is to be understood that “physically distinct” may still refer to units manufactured on a single chip. Then, the physical address space of the memory 10 is not included in the address space of the central processing unit 2, specifically not in the address space where application program or operating system software instructions are stored. If, then, the memory manager 4 is also made tamper-resistant (as in a smart card), additional protection against “probing” will be obtained.

To realize this potential additional protection for, e.g., smart cards, the memory manager 4 may provide additional interface functionality, e.g., containing a tag-size address register 54 and a page-data size data register 52 (see FIG. 5). This interface 52, 54 is then complemented with a logic unit 50 to carry out logic functions for scanning and matching tags stored in the memory 10. In other words, the logic unit 50 is able to read tags from memory 10 and to address the memory 10 by analyzing the value of the tags.

The interface 52, 54 and associated logic unit 50 may be implemented in hardware.

In addition, specific hardware circuits 56, 58 will be present as interfaces between the memory 6, 8, 10 and the logic unit 50 and between the central processing unit 2 and the logic unit 50, respectively. The logic unit 50 may provide a dedicated address counter combined with a tag-comparing logic circuit. An alternative hardware circuit may contain content addressable memory logic circuits implemented per memory page, at least for the storage bits reserved to contain the tag value.

Additional security benefits may be obtained with a memory managed according to the invention when, in addition to the special detecting encoding, the tag value is further encoded using cryptographic techniques. Such cryptographic tag encoding is intended to hide application data related structural information, like chunk identifier chid, generation count gen# and page count pg#, contained in the tag values. Cryptographic encoding may be done with any encoding technique known to a person skilled in the art. One advantageous method includes the use of secret cryptographic one-way functions in which the one-way function steps are related to a secret key only known to the memory manager 4. In this way, the memory manager 4 is able to recognize a previous generation by applying the one-way function one or more times to the encoded tag value of that previous generation and then comparing the resulting tag value with the tag value of the most recently updated generation. This will hamper reconstruction of application program data from an evil-intended forced “dump” of the memory device content.
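The generation chaining just described can be illustrated as follows. This is an added example and not the patent's own implementation: the mixing function is a constructed stand-in for a real keyed one-way function, and the 8-bit packing of chid, gen# and pg# into the seed and the key value are assumed.

```c
#include <stdint.h>

/* Constructed stand-in for a keyed one-way function: a few rounds of
 * xor / multiply / rotate mixing under a key known only to the memory
 * manager 4. It is not cryptographically strong; a real design would use a
 * keyed hash in its place. */
static uint32_t oneway(uint32_t x, uint32_t key) {
    for (int i = 0; i < 4; i++) {
        x ^= key + (uint32_t)i * 0x9E3779B9u;
        x *= 0x85EBCA6Bu;
        x = (x << 13) | (x >> 19);
    }
    return x;
}

/* Plain tag of FIG. 3 packed as chid | gen# | pg#, 8 bits each (assumed). */
static uint32_t pack_tag(uint8_t chid, uint8_t gen, uint8_t pg) {
    return ((uint32_t)chid << 16) | ((uint32_t)gen << 8) | pg;
}

/* Encoded tag stored in memory for generation gen of page pg: the one-way
 * function applied gen times to the gen-0 seed. Neither chid nor gen# can be
 * read off the stored value without the key. */
static uint32_t encode_tag(uint8_t chid, uint8_t gen, uint8_t pg, uint32_t key) {
    uint32_t t = pack_tag(chid, 0, pg);
    for (int g = 0; g < gen; g++) t = oneway(t, key);
    return t;
}

/* Recognize a previous generation the way the text describes: apply the
 * one-way function to the older encoded tag 0..max_back times and compare
 * the result with the encoded tag of the most recently updated generation.
 * Returns how many generations older it is, or -1 if it is not an ancestor. */
static int generations_behind(uint32_t enc_old, uint32_t enc_newest,
                              uint32_t key, int max_back) {
    uint32_t t = enc_old;
    for (int k = 0; k <= max_back; k++) {
        if (t == enc_newest) return k;
        t = oneway(t, key);
    }
    return -1;
}
```

Only the memory manager, holding the key, can walk the chain forward; a memory dump shows unrelated-looking tag values for successive generations of the same page.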

The tagged memory structure as explained hereinbefore provides several advantageous options. For instance, the tag may include additional data to indicate ownership of the associated application program data. Moreover, such additional data in the tag value might indicate use-rights or sets of use-rights for different users of the application program data. Such different use-rights may, e.g., be related to different access conditions to different parts of the (application) program data in the memory 10. One part of the (application) program data may, e.g., be defined as read-only, whereas another part of the application program data may be defined to have read/write access.

The invention efficiently provides a transaction log stored in memory, since the memory contains the history of updates to specific application data elements in the form of consecutive generations.

As explained above, additionally, the number of write operations to memory devices managed in accordance with the present invention may be reduced using the memory-update/transaction logging mechanism disclosed. Additionally, a reduced number of write operations provided by the invention may result in reduced costs of the silicon storage device by extending its useful life. Security of data stored in, especially, the non-volatile memory on tamper-resistant single chip computers, like smart cards, is increased. The increase of security may be entirely obtained by software measures. Hardware measures, like the distinct memory manager 4 apart from the central processing unit 2, may further increase the security but are not strictly necessary.

What is claimed is:
1. A computer-readable medium storing a data structure for supporting persistent storage of a set of data, said data structure comprising: (a) at least an oldest version of said set of data and at least one first tag for identifying said oldest version in a first memory area; and (b) at least a most recently updated version of said set of data and at least one second tag for identifying said most recently updated version in a second, distinct memory area, wherein the first memory area is deallocated when there are at least two versions of the set of data available in the data structure.
2. The computer-readable medium according to claim 1, wherein each of the versions of said set of data is stored in one or more memory pages, and each of the memory pages includes one tag comprising references to said set of data, a version number and a page number.
3. The computer-readable medium according to claim 2, wherein each page corresponds to one word line.
4. The computer-readable medium according to claim 1, wherein the data structure is processed by a processor.
5. The computer-readable medium according to claim 4, wherein the processor is arranged to write the tags with redundancy as to their content and, after having read tags from the memory means, to analyze from said redundancy whether or not write errors have occurred.
6. The computer-readable medium according to claim 4, wherein the processor is arranged to analyze tag values and is only allowed to access said versions of said set of data by reference through said tag values.
7. The computer-readable medium according to claim 6, wherein said processor comprises a central processing unit and a distinct memory managing unit, and the tag values are only known to the memory managing unit.
8. A computer arrangement comprising: a memory including: a first memory area having at least an oldest version of said set of data and at least one first tag for identifying said oldest version, and a second memory area having at least a most recently updated version of said set of data and at least one second tag for identifying said most recently updated version; and a processor configured to process the versions of the set of data, wherein the most recently updated version comprises a set of pages, each page having a unique tag, and the processor is arranged for updating said most recently updated version of said set of data and to write a predetermined tag of a predetermined one of said set of pages into said memory as a last step of said updating.
9. A computer arrangement comprising: a memory including: a first memory area having at least an oldest version of said set of data and at least one first tag for identifying said oldest version, and a second memory area having at least a most recently updated version of said set of data and at least one second tag for identifying said most recently updated version; and a processor configured to process the versions of the set of data, wherein at least one of said tags includes additional data to indicate ownership and use-rights, and the processor is arranged to recognize ownership and use-rights from these additional data.
10. The computer arrangement according to claim 9, wherein said use-rights differ for different parts of the set of data and the processor is arranged to recognize different use-rights for these different parts.
11. A computer arrangement comprising: a memory including: a first memory area having at least an oldest version of said set of data and at least one first tag for identifying said oldest version, and a second memory area having at least a most recently updated version of said set of data and at least one second tag for identifying said most recently updated version; and a processor configured to process the versions of the set of data, wherein the processor is arranged to analyze tag values and is only allowed to access said versions of said set of data by reference through said tag values, and the processor comprises a central processing unit and a distinct memory managing unit, and the tag values are only known to the memory managing unit, and wherein said memory managing unit encodes tags with a cryptographic key prior to writing them into the computer-readable medium, said cryptographic key being only known to the memory managing unit.
12. The computer arrangement according to claim 11, wherein said cryptographic key relates to a cryptographic one-way function.
13. A method for supporting persistent storage of a set of data in a computer-readable medium, comprising the steps of: (a) storing an oldest version of said set of data and at least one first tag for identifying said oldest version in a first memory area; (b) storing a most recently updated version of said set of data and at least one second tag for identifying said most recently updated version in a second, distinct memory area; and (c) de-allocating, following step (b), the first memory area having stored therein the oldest version of said set of data, provided at least two versions of said set of data remain in said memory means.
14. The method according to claim 13, comprising the further step of verifying said storing in step (b) by a predetermined operation carried out on said second tag.
15. The method of updating a set of data according to claim 13, wherein said most recently updated version comprises a plurality of pages, each page having a unique tag, and a predetermined tag of a predetermined one of said plurality of pages is stored as a last step in step (b) in order to identify completion of said storing in step (b).
16. A system including: a computer-readable medium storing a data structure for supporting persistent storage of a set of data, the data structure comprising: (a) at least an oldest version of said set of data in a first memory area including a first set of one or more pages, said computer-readable medium including at least one tag for identifying said oldest version, and (b) at least a most recently updated version of said set of data in a second distinct memory area including a second set of one or more pages, said computer-readable medium including at least one tag for identifying said most recently updated version; and a processor for processing the data structure, wherein each page in the first and second memory areas includes one or more consecutive memory locations that are collectively processed during memory operations, and wherein each page further includes a respective tag having a version number of the set of data and a page number of the respective page.
17. A method for supporting persistent storage of a set of data in a computer-readable medium, comprising: storing an oldest version of said set of data in a first memory area including a first set of one or more pages, wherein the computer-readable medium includes at least one tag for identifying the oldest version, wherein each page in the first memory area includes one or more consecutive memory locations that are collectively processed during memory operations; storing a most recently updated version of said set of data in a second distinct memory area including a second set of one or more pages, said computer-readable medium including at least one tag for identifying said most recently updated version, wherein each page in the second memory area includes one or more consecutive memory locations that are collectively processed during memory operations; and providing each page in the first and second set of pages with a respective tag having a version number of the set of data and a page number of the respective page.
 17. A methodfor supporting persistent storage of a set of data in acomputer-readable medium, comprising: storing an oldest version of saidset of data in a first memory area including a first set of one or morepages, wherein the computer-readable medium includes at least one tagfor identifying the oldest version, wherein each page in the firstmemory area includes one or more consecutive memory locations that arecollectively processed during memory operations; storing a most recentlyupdated version of said set of data in a second distinct memory areaincluding a second set of one or more pages, said computer-readablemedium including at least one tag for identifying said most recentlyupdated version, wherein each page in the second memory area includesone or more consecutive memory locations that are collectively processedduring memory operations; and providing each page in the first andsecond set of pages with a respective tag having a version number of theset of data and a page number of the respective page.